Hi Friends,
Today’s post is written by my friend, Musaab Fagiri.
Musaab is a thoughtful business and security leader. He is also an avid learner and, as you will see from this post, simply a good person.
If you’re a security professional wishing to learn or a business leader wanting to improve your organization’s security program, I would encourage you to check out his LinkedIn and send him a message.
Much like our other conversations, his post invigorated my thinking on praxis.
Enjoy!
When we ignore what people are going through, we miss the risks that don’t show up on paper.
When we think of risk assessments in security, we usually start with a few predictable questions:
What’s the asset?
Who or what is the threat?
What’s the likelihood?
What’s the impact?
It’s a solid framework. But if we stop there, we miss something important. Most risk assessments focus on things—doors, fences, systems—not people. In my experience, that’s often where the real risk comes from.
Let me share a quick story.
One morning, I got a call from security. An operations employee had kicked and damaged a locker. He was just starting his shift.
We pulled the footage. Clear frustration. No hesitation.
Normally, this would lead to an investigation, interviews, and maybe disciplinary action. But something about it felt off. This wasn’t someone with a record. Why? So I paused.
Instead of launching into disciplinary mode, I leaned into context. I looked at his file. I looked at his behavior before the incident. I considered what might’ve prevented this—not just punished it. I spoke with coworkers and his direct supervisor. They described him as quiet and respectful, someone who just did his job.
Eventually, I learned he had been struggling with mental health challenges. We couldn’t say exactly what triggered the outburst—maybe the locker was cleared, maybe his personal items were moved. But the event wasn’t random. It had context. That shift made all the difference. It helped us de-escalate. More importantly, it likely helped us avoid what could have turned into a workplace violence incident.
And this is where the theories matter.
Psychological positivism tells us that behavior is often shaped by a person’s mental state and learned coping mechanisms. If someone is under stress, they might not respond rationally—they respond how they’ve learned to survive.
Sociological positivism goes even further: if that employee felt marginalized, overlooked, or lacked a sense of belonging in the workplace, that stress doesn’t stay hidden—it builds until it breaks.
From a realist lens, especially left realism, this isn’t just about one person’s bad day. It’s about a breakdown in the systems that were meant to support him—poor communication, maybe policy changes that weren’t explained, maybe even a lack of psychological safety.
That changed everything for me. This is where theory helps—not just to explain behavior, but to improve how we assess risk before something happens.

Psychological positivism, including Bandura’s social learning theory, reminds us that behavior is shaped by modeled responses and environmental stressors.
→ So in a risk assessment, we should ask: Are employees being exposed to toxic role models or unmanaged stress?
→ What behaviors are being rewarded or normalized—intentionally or not?
Sociological positivism, like strain theory, points to social pressure and deprivation as drivers of deviant behavior.
→ We should be asking: Are there gaps between expectations and resources?
→ Are some teams being pushed harder without adequate support?
Left realism encourages us to examine how inequality, marginalization, and weak support structures contribute to risk.
→ So we might include: Are there parts of the organization where people feel unseen or excluded?
→ Is there a disconnect between leadership and front-line realities?
Right realism reinforces the need for structure, discipline, and early intervention.
→ From this lens, we ask: Are boundaries clear? Are consequences fair and consistent?
→ Are we identifying low-level issues before they escalate?
Each theory gives us a lens—not to predict a person’s behavior, but to ask better questions about the systems, relationships, and pressures that surround them.
And that’s where proactive risk management begins.
So maybe it’s time our risk assessments evolve—not just in method, but in mindset.
Instead of focusing only on physical assets and technical controls, we should also be asking:
What hidden pressures or frustrations exist within the team?
Have recent changes—policies, leadership, workload—introduced unintended risks?
Are there early signs of disengagement or distress we’re ignoring?
Do our people trust the environment enough to speak up before something escalates?
If we don’t include these questions, we’re only assessing half the risk.
Security professionals often ask, “What could go wrong?”
But the better question might be: “What are we overlooking?”